Rethinking Enterprise Remote Access VPN Solutions: Designing Scalable VPN Connectivity

Dave Greenfield
November 2, 2020

The global pandemic has forced many organizations around the world to send their workers home to support social distancing mandates. The process happened suddenly – almost overnight – giving companies little time to prepare for so many people to work remotely. To keep business functioning as best as possible, enterprises need to provide secure remote connectivity to the corporate network and cloud-based resources for their remote workers.

Many companies turned to their existing VPN infrastructure, beefing up the terminating appliances in the datacenter with additional capacity to support hundreds or thousands of new work from home (WFH) users. In the early days of Coronavirus lockdowns, some countries saw a surge in VPN use that more than doubled the typical pre-pandemic demand. However, VPN infrastructure isn’t designed to support an entire workforce. As organizations contemplate an extended or even permanent switch to WFH, investing in a secure, scalable connectivity solution is essential.

Enterprise VPN Solutions are Not Designed for Distributed Workforces

VPNs are designed for point-to-point connectivity. Each secure connection between two points requires its own VPN link, tunneled over an existing path. For people working from home, that path is the public Internet. The VPN software creates an encrypted tunnel over which the user's traffic goes from Point A (e.g., the home office or a remote work location) to Point B (usually a terminating appliance in a corporate datacenter). Each terminating appliance has a finite capacity for simultaneous sessions, and visibility is fragmented when companies deploy multiple, separately managed appliances.

Pre-pandemic, many organizations had sufficient VPN capacity to support between 10 and 20 percent of their workforce as short-duration remote users at any given time. This supported employees temporarily working from hotels and customer sites as well as from their homes. Once the pandemic restrictions forced people to isolate at home, companies saw their VPN usage shoot up to as much as 50 to 70 percent of the workforce. Scaling capacity quickly was a real challenge: remote-access concentrators are licensed and sized for a fixed number of concurrent sessions, and where sites are also meshed together, the number of tunnels needed for full connectivity grows quadratically with the number of sites (n(n-1)/2 tunnels for n sites), not linearly.

Security is a considerable concern when VPNs are used. While the tunnel itself is encrypted, the traffic traveling within that tunnel is not inspected for malware or other threats; the VPN provides confidentiality and integrity, not content inspection. To maintain security, the traffic must be routed through a security stack at its terminus on the network. Backhauling traffic to that stack adds latency and inefficient routing, and it can mean having to purchase, deploy, monitor, and maintain security stacks at multiple sites to spread the security load. Simply put, providing security for VPN traffic is expensive and complex to manage.

Another issue with VPNs is that they typically grant network-level access: once the tunnel is up, the user can reach any routable address behind the concentrator, and restricting access to specific resources means maintaining separate firewall rules behind it. Most deployments also do not check the security posture of the connecting device, so a compromised or unmanaged machine can bring malware onto the network. What's more, stolen VPN credentials have been implicated in several high-profile data breaches. With legitimate credentials and a VPN connection, attackers were able to enter and move freely through targeted company networks.

Of further concern, VPN gateways themselves can harbor significant vulnerabilities, an issue we noted in a recent post. NIST's National Vulnerability Database has published over 100 new CVEs for VPN products since last January.

SASE Provides a Simpler, More Secure, Scalable Solution Compared to VPN Solutions

In mid-2019, Gartner introduced a new cloud-native architectural framework to deliver secure global connectivity to all locations and users. Gartner analysts named this architecture the Secure Access Service Edge (or SASE). Cato Networks is recognized as offering the world’s first global SASE platform.

Cato’s SASE platform is built as the core network and security infrastructure of the business, and not just as a remote access solution. It offers unprecedented levels of scalability, availability, and performance to all enterprise resources.

It so happens that SASE is an ideal VPN alternative. SASE offers scalable access, optimized connectivity, and integrated threat prevention that are needed to support continuous large-scale remote access. There are several ways that Cato’s SASE platform outperforms a traditional VPN solution.

First, the SASE service seamlessly scales to support any number of end-users globally. There is no need to set up regional hubs or VPN concentrators. The SASE service is built on top of dozens of globally distributed Points of Presence (PoPs) to deliver a wide range of security and networking services, including remote access, close to all locations and users.

Second, availability is inherently designed into Cato’s SASE service. Each resource – a location, a user, or a cloud – establishes a tunnel to the nearest SASE PoP. Each PoP is built from multiple redundant compute nodes for local resiliency, and multiple regional PoPs dynamically back up one another. The SASE tunnel management system automatically seeks an available PoP to deliver continuous service, so the customer doesn’t have to worry about high availability design and redundancy planning.

Third, SASE PoPs are interconnected with a private backbone and peer closely with cloud providers, to ensure optimal routing from each edge to each application. This is in contrast with using the public Internet to connect users to the corporate network.

Fourth, since all traffic passes through a full network security stack built into the SASE service, multi-factor authentication, full access control, and threat prevention are applied. Because the SASE service is globally distributed, SASE avoids the trombone effect associated with forcing traffic to specific security choke points on the network. All processing is done within the PoP closest to the users while enforcing all corporate network and security policies.

And lastly, Cato's SASE platform employs Zero Trust Network Access (ZTNA) in granting users access to only the specific resources and applications they need to use. This granular, per-resource control is part of the identity-driven approach to network access that SASE demands.
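To make the contrast between the broad network access described earlier and the per-resource, identity-driven model concrete, here is an added illustration in Python. It is not Cato's code and does not describe how Cato evaluates policy; the policy table, the posture attributes, the user names and the scenarios are all constructed for the example. It evaluates the same three requests under a flat "authenticated, therefore on the network" rule and under a zero-trust rule that checks identity, device posture and the specific resource.

```python
"""Added illustration: flat VPN-style access versus per-resource zero-trust access.

Hypothetical policy model, not Cato's implementation. All users, resources,
addresses and posture checks below are constructed for the example.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Device:
    """Posture facts a client agent might report (constructed attributes)."""
    managed: bool          # enrolled in the company's device management
    disk_encrypted: bool
    edr_running: bool


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset      # group membership from the identity provider
    device: Device
    resource: str          # application the user is trying to reach
    dest_ip: str           # where that application lives on the corporate network


# Legacy model: once the tunnel is authenticated, the user is "on the network".
CORP_NET = ipaddress.ip_network("10.0.0.0/8")


def vpn_allows(req: Request) -> bool:
    """Flat VPN access: any authenticated user can reach any corporate address.
    Device posture and the specific application are never consulted."""
    return ipaddress.ip_address(req.dest_ip) in CORP_NET


# Zero-trust model: each flow is checked for who, on what device, to which resource.
# Hypothetical policy table.
POLICY = {
    "crm": {"groups": {"sales"}, "posture": ("managed", "disk_encrypted")},
    "git": {"groups": {"engineering"}, "posture": ("managed", "disk_encrypted", "edr_running")},
}


def posture_ok(device: Device, required) -> bool:
    return all(getattr(device, check) for check in required)


def ztna_decision(req: Request) -> tuple:
    """Return (verdict, reason). Anything not explicitly allowed is denied."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return ("deny", "no policy grants access to this resource")
    if not (req.groups & rule["groups"]):
        return ("deny", "identity not entitled to this resource")
    if not posture_ok(req.device, rule["posture"]):
        return ("deny", "device fails posture check")
    return ("allow", "identity, device and resource all pass")


# Constructed scenarios.
MANAGED = Device(managed=True, disk_encrypted=True, edr_running=True)
UNMANAGED = Device(managed=False, disk_encrypted=False, edr_running=False)

SCENARIOS = {
    # Sales rep on a corporate laptop reaching the CRM: both models allow.
    "normal": Request("alice", frozenset({"sales"}), MANAGED, "crm", "10.20.0.5"),
    # Attacker using alice's stolen password from their own machine: the VPN lets them in.
    "stolen_creds": Request("alice", frozenset({"sales"}), UNMANAGED, "crm", "10.20.0.5"),
    # The same attacker pivoting from the CRM toward the source repository.
    "lateral_move": Request("alice", frozenset({"sales"}), UNMANAGED, "git", "10.30.0.9"),
}


def compare(name: str) -> dict:
    """Verdict of each model for one named scenario."""
    req = SCENARIOS[name]
    return {"vpn": "allow" if vpn_allows(req) else "deny",
            "ztna": ztna_decision(req)[0]}


if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name:13} {compare(name)}")
```

The point of the comparison is the second and third scenarios: valid credentials alone satisfy the flat model, so a stolen password is enough both to get in and to reach hosts the user never needed, whereas the zero-trust rule denies the first because the device is unmanaged and the second because the identity was never entitled to that resource. Default deny for resources with no policy entry is what keeps a new internal host from being reachable just because it is routable.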

SASE is Well-Suited to Remote Work

Enterprises that enable WFH using the Cato Networks SASE platform can scale quickly to any number of remote users without worry. The complexity of scaling is all hidden in the Cato-provided PoPs, so there is no infrastructure for the organization to purchase, configure or deploy. Giving end users remote access is as simple as installing a client agent on the user’s device, or by providing clientless access to specific applications via a secure browser.

Security is decentralized, located at the PoPs, which reduces the load on infrastructure in the company's datacenter. Because routing and security are integrated at this network edge, security administrators can choose to inspect business traffic at the PoP and leave personal traffic alone. Moreover, traffic can be routed directly and securely to cloud infrastructure from the PoP instead of being forced to a central datacenter first. Further, admins have consistent visibility and control of all traffic throughout the enterprise WAN.

WFH Employees Have Secure and Productive Access to the Corporate Network

While some workers are venturing back to their offices, many more are still working from home—and may work from home permanently. The Cato SASE platform is the ideal way to give them access to their usual network environment without forcing them to go through insecure and inconvenient VPNs.

Dave Greenfield

Dave Greenfield is a veteran of the IT industry. He has spent more than 20 years as an award-winning journalist and independent technology consultant. Today, he serves as a secure networking evangelist for Cato Networks.